package com.luoqiz.securityrs.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.expression.OAuth2WebSecurityExpressionHandler;

@Configuration
@EnableResourceServer
@EnableWebSecurity
public class ResourceServerWebSecurityConfig extends ResourceServerConfigurerAdapter {

	@Autowired
	private OAuth2WebSecurityExpressionHandler expressionHandler;

	private static final String[] AUTH_WHITELIST = { "/auth/**", "/**/v2/api-docs", "/swagger-resources",
			"/swagger-resources/**", "/configuration/ui", "/configuration/security", "/swagger-ui.html",
			"swagger-resources/configuration/ui", "/doc.html", "/webjars/**" };

	@Override
	public void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests().antMatchers("/v2/api-docs", "/auth/**").permitAll();

		ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http
				.authorizeRequests();
		for (String au : AUTH_WHITELIST) {
			http.authorizeRequests().antMatchers(au).permitAll();
		}

		http.authorizeRequests().anyRequest().authenticated();
		registry.anyRequest()
				.access("hasRole('ROLE_admin') or hasAuthority('admin')");
//				.access("hasRole('ROLE_admin') or @permissionService.hasPermission(request,authentication)");
//		registry.anyRequest().access("@permissionService.hasPermission(request,authentication)");
	}

//	@Override
//	public void configure(ResourceServerSecurityConfigurer resources) {
//		resources.tokenServices(tokenServices()).expressionHandler(expressionHandler);
//
//		resources.accessDeniedHandler(authorizeAccessDeniedHandler);
//	}

	@Bean
	public OAuth2WebSecurityExpressionHandler oAuth2WebSecurityExpressionHandler(
			ApplicationContext applicationContext) {
		OAuth2WebSecurityExpressionHandler expressionHandler = new OAuth2WebSecurityExpressionHandler();
		expressionHandler.setApplicationContext(applicationContext);
		return expressionHandler;
	}
}
